Attorney Docket No.: 1033-T00534C 

CLAIM AMENDMENTS: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

1. (Currently Amended) A method of detecting intrusion in a host via a monitoring 
daemon operating in conjunction with a configuration file defining data entities to be monitored, 
the method comprising: 

monitoring data entities via comparing a locally stored copy of a digital signature 
associated with each data entity against a corresponding digital signature stored in 
a first remote database; and 

upon identifying a mismatch in compared digital signatures, issuing an instruction to 
record an entry in a log file located in a second remote database, said entry 
identifying a possible intrusion in a host[[.]] , and issuing a command to an 
operating system of said host to bring said host to a single user state. 

2. (Currently Amended) The method of claim 1, further comprising issuing a command to 
bring down said one or more network interfaces of said host to isolate said host upon identifying 
the mismatch in compared digital signatures. 

3. (Cancelled). 

4. (Previously Presented) The method of claim 1, wherein said first remote database and 
said second remote database are located on a single server or a plurality of servers belonging to a 
local area network. 

5. (Previously Presented) The method of claim 1, wherein communications between said 
host and first remote database are encrypted. 

6. (Previously Presented) The method of claim 1, wherein communications between said 
host and second remote database are encrypted. 

7. (Previously Presented) The method of claim 1, wherein said digital signature is an 
MD5 signature and said first remote database is an MD5 database. 

8. (Previously Presented) The method of claim 1, wherein said second remote database is 
a SYSLOG database. 

9. (Previously Presented) The method of claim 1, wherein said data entities comprise one 
or more of files, configuration files, and directories. 

10. (Currently Amended) A system to detect intrusion comprising: 

a host running a monitoring daemon working in conjunction with a configuration file, 
said configuration file identifying files and directories to be monitored in said host 
and said host communicating with external networks via one or more network 
interfaces, said monitoring daemon dynamically monitoring said files and 
directories identified by said configuration file by comparing a locally stored 
digital signature corresponding to each file or directory against a remotely stored 
corresponding digital signature; 

a digital signature database remote from said host storing said digital signatures 
associated with files and directories identified by said configuration file; and 

a log database remote from said host recording entries corresponding to mismatches 
between a digital signature stored in said host and a corresponding digital 
signature in said digital signature database[[.]] a 

wherein a mismatch identifies a possible intrusion in the host, resulting in a command 
being issued to an operating system of said host to bring said host to a single user 
state. 


11. (Currently Amended) The system to detect intrusion as per of claim 10, wherein said 
digital signature database and said log database are located on a single server or a plurality of 
servers belonging to a local area network. 

12. (Currently Amended) The system to detect intrusion as per of claim 10, wherein 
communications between said host and said digital signature database are encrypted. 

13. (Currently Amended) The system to detect intrusion as per of claim 10, wherein 
communications between said host and log database are encrypted. 

14. (Currently Amended) The system to detect intrusion as per of claim 10, wherein said 
digital signature is an MD5 signature and said first remote database is an MD5 database. 



15. (Currently Amended) An article of manufacture comprising a computer usable 
medium having computer readable program code embedded therein to detect intrusion in a host 
via a monitoring daemon operating in conjunction with a configuration file defining data entities 
to be monitored, said medium comprising: 

computer readable program code comprising executable instructions to monitor data 
entities via comparing a locally stored copy of a digital signature associated with 
each data entity against a corresponding digital signature stored in a first remote 
database; and 

computer readable program code comprising executable instructions to issue an 
instruction to record an entry in a log file located in a second remote database 
upon identifying a mismatch in compared digital signatures, said entry identifying 
a possible intrusion in a host [[.]] ; and 

computer readable program code comprising executable instructions to issue a command 
to an operating system of said host to bring said host to a single user state upon 
identifying the mismatch in compared digital signatures. 

16. (Currently Amended) The article of manufacture as per claim of 15 further 
comprising computer readable program code comprising executable instructions to issue a 
command to bring down one or more network interfaces to isolate said host upon identifying the 
mismatch in compared digital signatures. 



17. (Cancelled). 

18. (Currently Amended) An intrusion detection and isolation method implemented using 
a monitoring daemon in a host, said host having one or more network interfaces to communicate 
over one or more networks, said method comprising: 

reading a configuration file to identify data entities to be monitored on a host; 

for each data entity to be monitored, extracting a digital signature from said host; 

for each data entity to be monitored, querying a remote digital signature database via said 
one or more network interfaces and requesting a digital signature corresponding 
to said digital signature extracted from said host; 

for each data entity to be monitored, receiving said corresponding digital signature from 
said remote digital signature database; 

matching digital signature received from said remote digital signature database with 
digital signature extracted at said host; 

upon identifying a mismatch, transmitting an instruction to a remote log database via said 
one or more network interfaces, said instruction executed in said remote log 
database to record an entry in a log file indicating a possible intrusion in said host; 
and 

performing at least one of the following: 

issuing a command to bring down said one or more network interfaces to isolate 
said host; and 

issuing a command to an operating system of said host to bring said host to a single user 
state. 

19. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein said digital signature database 
and said log database are located on a single server or a plurality of servers belonging to a local 
area network. 

20. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein communications between said 
host and digital signature database are encrypted. 

21. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein communications between said 
host and log database are encrypted. 

22. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein said digital signature database 
is an MD5 database. 

23. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein said log database is a SYSLOG 
database. 

24. (Currently Amended) The intrusion detection and isolation method implemented 
using a monitoring daemon in a host, as per of claim 18, wherein said data entities are any of the 
following: system files, configuration files, or directories. 

25. (New) The intrusion detection and isolation method of claim 18, further comprising 
issuing a command to bring down said one or more network interfaces to isolate said host. 






U.S. App. No.: 10/605,689 



